Opened 4 years ago

Closed 3 years ago

#1245 closed Bug / Defect (worksforme)

segfault error 14 in liblber-2.4.so.2.10.8

Reported by: ctodd@… Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.4.8 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: segfault liblber
Cc: bmccord@…

Description

Ubuntu 18.04.3 running OpenVPN 2.4.8. Server uses LDAP for authentication and periodically (about once every few days) stops authenticating users. Leading up to this issue, we sometimes see users attempt to authenticate with invalid credentials. In the logs we see the following variations of errors:

Dec 18 13:21:31 sfo-openvpn1 openvpn[77827]: pam_ldap: error trying to bind as user "cn=someuser,ou=people,dc=somedomain,dc=com" (Invalid credentials)

Dec 18 13:21:33 kernel: [3326305.784762] openvpn[44256]: segfault at 7f0bbeba6fc7 ip 00007f0bbeba6fc7 sp 00007f0bb4d82dc0 error 14 in liblber-2.4.so.2.10.8[7f0bbf1fe000+d000]

Dec 19 00:02:03 openvpn[124002]: pam_ldap: error trying to bind as user "cn=someuser,ou=people,dc=somedomain,dc=com" (Invalid credentials)

Dec 19 00:02:12 kernel: [3364744.281920] openvpn[124253]: segfault at 7f570ed8ffc7 ip 00007f570ed8ffc7 sp 00007f570539ddc0 error 14 in libcap-ng.so.0.0.0[7f570fc5d000+4000]

We have upgraded all system libraries and recompiled the latest available version of OpenVPN. It should be noted that we use the Viscosity client with Yubikeys, and thus have server side tokens enabled.

Chris
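The pattern the report describes (a pam_ldap bind failure followed a few seconds later by a kernel segfault line for an openvpn process) can be picked out of syslog automatically. The following is an added example, not part of the ticket or of OpenVPN, that parses both kinds of line, correlates each segfault with the bind failures in the preceding window, and decodes the segfault line for triage. The sample lines are constructed to match the shape of the lines quoted above; the 30-second window and the `openvpn[...]` process-name filter are assumptions. The decode relies on two things about the kernel's "segfault at" message: the `error` value is the x86 page-fault error code printed in hex (so `error 14` is a user-mode instruction fetch of an unmapped page, which matches the fault address being equal to the instruction pointer), and the library named after `in` is the mapping the kernel found at or above the instruction pointer, so the code also checks whether the ip actually lies inside the named range. For both lines quoted in the ticket it does not, and the segfault pid differs from the pid that logged the bind failure, which fits comment 3's remark that the crash is in the long-running PAM helper.

```python
"""Correlate pam_ldap bind failures with openvpn segfaults in syslog lines.

Added example; not code from the ticket or from OpenVPN. The sample log is
constructed to mirror the lines quoted in the ticket.
"""
import re
from datetime import datetime, timedelta

# Constructed sample input modelled on the ticket's excerpt (some lines carry
# a hostname, some do not, as in the original).
SAMPLE_LOG = """\
Dec 18 13:21:31 sfo-openvpn1 openvpn[77827]: pam_ldap: error trying to bind as user "cn=someuser,ou=people,dc=somedomain,dc=com" (Invalid credentials)
Dec 18 13:21:33 kernel: [3326305.784762] openvpn[44256]: segfault at 7f0bbeba6fc7 ip 00007f0bbeba6fc7 sp 00007f0bb4d82dc0 error 14 in liblber-2.4.so.2.10.8[7f0bbf1fe000+d000]
Dec 18 15:00:00 openvpn[77827]: pam_ldap: error trying to bind as user "cn=otheruser,ou=people,dc=somedomain,dc=com" (Invalid credentials)
Dec 19 00:02:03 openvpn[124002]: pam_ldap: error trying to bind as user "cn=someuser,ou=people,dc=somedomain,dc=com" (Invalid credentials)
Dec 19 00:02:12 kernel: [3364744.281920] openvpn[124253]: segfault at 7f570ed8ffc7 ip 00007f570ed8ffc7 sp 00007f570539ddc0 error 14 in libcap-ng.so.0.0.0[7f570fc5d000+4000]
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")
BIND_RE = re.compile(
    r'pam_ldap: error trying to bind as user "(?P<dn>[^"]+)" \((?P<reason>[^)]+)\)'
)
SEGV_RE = re.compile(
    r"openvpn\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) "
    r"sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+) in "
    r"(?P<lib>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

# x86 page-fault error-code bits; the kernel prints the value in hex.
PF_BITS = {0x1: "protection", 0x2: "write", 0x4: "user",
           0x8: "reserved-bit", 0x10: "instruction-fetch"}


def parse_ts(line):
    """Syslog timestamps omit the year; good enough for ordering lines
    captured within one month (a December/January wrap would need the year)."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S") if m else None


def decode_error(err_hex):
    """Name the set bits of the page-fault error code (assumed hex, as printed)."""
    code = int(err_hex, 16)
    return [name for bit, name in PF_BITS.items() if code & bit] or ["kernel-mode read of unmapped page"]


def parse_segfault(line):
    m = SEGV_RE.search(line)
    if not m:
        return None
    ip, base, size = (int(m[k], 16) for k in ("ip", "base", "size"))
    return {
        "ts": parse_ts(line),
        "pid": int(m["pid"]),
        "lib": m["lib"],
        # fault address == ip means the CPU tried to fetch an instruction there
        "fault_is_ip": int(m["addr"], 16) == ip,
        # if False, the named library is only the nearest mapping above ip
        "ip_inside_named_mapping": base <= ip < base + size,
        "flags": decode_error(m["err"]),
    }


def correlate(log_text, window=timedelta(seconds=30)):
    """One record per segfault, listing the bind failures seen in the window
    (assumed: 30 s) before it. Lines without a timestamp are ignored."""
    bind_failures, findings = [], []
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue
        b = BIND_RE.search(line)
        if b:
            bind_failures.append((ts, b["dn"], b["reason"]))
            continue
        s = parse_segfault(line)
        if s:
            s["preceding_bind_failures"] = [
                (dn, reason) for t, dn, reason in bind_failures if ts - window <= t <= ts
            ]
            findings.append(s)
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"{f['ts']:%b %d %H:%M:%S} pid={f['pid']} in {f['lib']} "
              f"flags={f['flags']} ip_in_named_mapping={f['ip_inside_named_mapping']} "
              f"bind_failures_before={f['preceding_bind_failures']}")
```

Run against a real syslog by replacing `SAMPLE_LOG` with the file contents; segfaults that are not preceded by a bind failure within the window still appear, with an empty `preceding_bind_failures` list, so the output separates the reported pattern from unrelated crashes.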

Change History (3)

comment:1 Changed 4 years ago by Gert Döring

Are you using plugin-auth-pam to authenticate or the LDAP plugin (https://packages.debian.org/jessie/openvpn-auth-ldap) directly?

This smells like a bug in the ldap glue libraries, passing invalid data to the LDAP libraries in case "something invalid" is passed (too-long password?).

comment:2 Changed 4 years ago by Gert Döring

As a workaround if you are using plugin-auth-pam, you can use the plugin from the 2.5 release, which can do async/deferred authentication. This will make all the PAM stuff happen in its own process, and if that crashes, it will not affect other users, just this single session.

If you use the LDAP plugin, you need to take this up with its developers.

comment:3 Changed 3 years ago by Gert Döring

Milestone: release 2.4.8
Resolution: worksforme
Status: new → closed

Closing this as part of my "milestone" cleanup (milestones are not for "I saw this in this version" but "it should be fixed before *that* version").

I'm not sure if async plugin-auth-pam would have actually helped (while PAM is happening in a dedicated process, it's actually the long-running background process - and if that crashes, the async bits do not help).

But anyway, this needs fixing on the LDAP client side, not in OpenVPN.
